Snippet #1: The Saw - Risk Management (Chapter 2)

Below is an extract from chapter 2 of my upcoming book, titled "Real life cybersecurity: How program building actually works". It draws an analogy between a simple tool, namely the saw, and risk management in the cybersecurity world. You can find the book at this link: https://a.co/d/eRudF4m and the full table of contents at this link: https://www.dhirubhai.net/posts/roland-gharfine-1a7057100_askroland-cybersecurity-linkedin-activity-7140185653924782080-IK8z?utm_source=share&utm_medium=member_desktop

It's currently only available for pre-order as a Kindle ebook version, with the release date set to December 31st 2023, and the paperback version upcoming on January 31st 2024. Enjoy.

I remember being around my old village and watching farmers and gardeners trim away at fruit trees, carefully checking each branch and deciding on where to apply their touch for optimal tree health. I haven’t been back for a few years now, and I’m curious whether the agricultural landscape still looks the same, or whether modernity and urban transformation have eaten away at it like other places in my home country. I hope it’s the former, but wouldn’t be surprised if it’s the latter.

Just like the saw, risk management ultimately cuts away the unnecessary. It’s the Occam's razor of security decisions, and the way we can make decisions and trim away what doesn’t matter in service of optimal performance and assuring the best outcomes for the context of the organization. Just like the saw allows the tree to take an optimal and healthy shape, so does risk management help our cybersecurity program be optimal and scientifically designed, as well as accurately informed. Precision is important for optimal outcomes, true for my tiny village, and true for cybersecurity. Have I exhausted the metaphor yet or should I keep going?

This is hands down my favorite topic in the realm of cybersecurity program building, and also the one I find the most numbingly boring. If you hate talking about it, I understand you and I feel the same way with every cell of my body. As mentioned in chapter 1, there is no glamor to be had, it’s all difficult and nuanced strategizing if you want to be a leader in cybersecurity. So why is this topic my favorite? I believe you might be able to guess already. Risk management is as strategic, fundamental, and crucial as it gets.

Risk is the universal language of our organizations. Why do we do anything at all? I would argue: to treat risks. There are project risks, business risks, financial risks, and flavors of risks you’d probably struggle to think of off the top of your head or conceptualize if you don’t have expertise in the specific domain where said risks apply, and of course, cybersecurity is one of those domains. How does risk management, seen from the lens of a unified risk framework, help us achieve communication using this universal language? If we work in a unified way, and treat all of our landscape as risks that need to be reduced, we can achieve seamless communication and start to strategize together at the organizational level. Are we a risk-taking, innovation-leaning, budget-wielding organization? Great, let’s reflect that in our risk management. Are we the exact opposite? Still awesome, let’s use risk as a common denominator and push in the same direction rather than get stuck due to unnecessary friction.

So we recognize risk as our common language, cool story right? But what’s next, you might be asking. Well, the reason this common language is needed is not just to describe our risk landscape as an organization and be proud of our achievement of writing it on a piece of paper and completing the exercise together. What we rather need is a common decision-making framework. We don’t go through this exercise just for the sport and the love of the risk game or spreadsheets, but rather to collect both data and input from various corners of our organization so that we can make more informed decisions. I hope you’re ready to rumble folks, we’re about to discuss something of the utmost importance, which many organizations get so desperately wrong, and which can lift not only your cybersecurity program but the whole strategic planning of your organization if done correctly and purposefully. Hold on to your hats.

Roland Gharfine

Principal Security Engineer | Cloud security expert | CISSP | CISM | AWS Certified x8 | Kubernetes certified x3 (CKA/CKAD/CKS)

1 year ago

Check out the book on Amazon: https://www.amazon.com/dp/B0CDQD6QX8